Quarks PwDump is a native Win32 tool to extract credentials from Windows operating systems.
It currently extracts:
- Local accounts NT/LM hashes + history
- Domain accounts NT/LM hashes + history
- Cached domain password
- Bitlocker recovery information (recovery passwords & key packages)
Supported OS: XP/2003/Vista/7/2008/8
Bitlocker and domain account information is extracted offline from NTDS.dit. This is not currently a fully offline mode, because the tool is dynamically linked with ESENT.dll, which differs between Windows versions (see README.txt for details).
Local account and cached information is extracted live from the SAM and SECURITY hives in a proper way, without code injection or service installation.
In all cases, the tool must be executed on the targeted machine with administrator privileges.
Usage
Here is how you can use Quarks PwDump:
QuarksPwDump.exe <option(s)> <NTDS file>
Options :
--dump-hash-local
--dump-hash-domain-cached
--dump-hash-domain (NTDS_FILE must be specified)
--dump-bitlocker (NTDS_FILE must be specified)
--with-history (optional)
--output-type JOHN/LC (optional, if no=>JOHN)
--output FILE (optional, if no=>stdout)
Dump options must be used all at once.
In all cases, the tool must be executed on the targeted operating system.
Some command examples:
- Dump domain hashes from NTDS.dit with its history
#QuarksPwDump.exe --dump-hash-domain --with-history c:\ntds.dit
- Dump local account hashes to LC format
#QuarksPwDump.exe --dump-hash-local --output-type LC
- Dump Bitlocker information from NTDS.dit to a file
#QuarksPwDump.exe --dump-bitlocker --output c:\bitlocker.txt c:\ntds.dit
All features require administrator privileges.
It can even dump the hashes in John The Ripper (JtR) or L0phtCrack formats with the following command:
#QuarksPwDump.exe --dump-hash-local --with-history --output-type LC
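Because the dump options listed above are fixed strings, process-creation logs can be searched for them regardless of what the executable is called. The following is an added example, not part of the tool or its documentation: it parses command lines and reports which credential store each flagged run touched. The sample command lines are constructed, and the function and field names are illustrative.

```python
import re

# Dump options from the usage text above, mapped to the credential store each reads.
DUMP_FLAGS = {
    "--dump-hash-local": "local SAM hashes",
    "--dump-hash-domain-cached": "cached domain credentials",
    "--dump-hash-domain": "domain hashes (NTDS.dit)",
    "--dump-bitlocker": "BitLocker recovery data (NTDS.dit)",
}

def tokenize(cmdline):
    """Split a command line on whitespace, keeping double-quoted strings whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def analyze(cmdline):
    """Return a finding for a command line carrying a documented dump option, else None."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1]
    exposed, history, output, positional = [], False, None, []
    args = iter(tokens[1:])
    for tok in args:
        low = tok.lower()  # case-folded so the match does not depend on letter case
        if low in DUMP_FLAGS:
            exposed.append(DUMP_FLAGS[low])
        elif low == "--with-history":
            history = True
        elif low in ("--output", "--output-type"):
            value = next(args, None)  # these two options consume the next token
            if low == "--output":
                output = value
        else:
            positional.append(tok)  # per the usage line, the NTDS file is positional
    if not exposed:
        return None
    return {"image": image, "renamed": image.lower() != "quarkspwdump.exe",
            "exposed": exposed, "history": history, "output_file": output,
            "ntds_file": positional[-1] if positional else None}

# Constructed process-creation command lines (e.g. from Event ID 4688 or Sysmon Event ID 1).
SAMPLE_EVENTS = [
    r'C:\Temp\QuarksPwDump.exe --dump-hash-local --with-history --output-type LC',
    r'"C:\Users\Public\svc update.exe" --dump-bitlocker --output c:\bitlocker.txt c:\ntds.dit',
    r'C:\Windows\System32\ipconfig.exe /all',
    r'C:\Tools\report.exe --output c:\report.txt',
]

def findings(events):
    return [f for f in (analyze(e) for e in events) if f]
```

The output_file and ntds_file fields tell responders which files on the host to collect and which credential stores to treat as exposed.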
Download quarkspwdump v0.1b
Visit Website - http://code.google.com/p/quarkspwdump/